npm - @boxyhq/saml-jackson - Versions diffs - 0.2.2-beta.169 → 0.2.2-beta.174 - Mend

@boxyhq/saml-jackson 0.2.2-beta.169 → 0.2.2-beta.174

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -85,7 +85,21 @@ router.get('/api/v1/saml/config', async (req, res) => {
     });
   }
 });
+// delete config
+router.delete('/api/v1/saml/config', async (req, res) => {
+  try {
+    // apply your authentication flow (or ensure this route has passed through your auth middleware)
+    ...
+    // only when properly authenticated, call the config function
+    await apiController.deleteConfig(req.body);
+    res.status(200).end();
+  } catch (err) {
+    res.status(500).json({
+      error: err.message,
+    });
+  }
+});
 // OAuth 2.0 flow
 router.get('/oauth/authorize', async (req, res) => {
   try {
@@ -228,6 +242,26 @@ curl -G --location 'http://localhost:6000/api/v1/saml/config' \
 The response returns a JSON with `provider` indicating the domain of your Identity Provider. If an empty JSON payload is returned then we do not have any configuration stored for the attributes you requested.
+#### 2.2 SAML delete config API
+This endpoint can be used to delete an existing IdP metadata.
+```
+curl -X "DELETE" --location 'http://localhost:6000/api/v1/saml/config' \
+--header 'Authorization: Api-Key <Jackson API Key>' \
+--header 'Content-Type: application/x-www-form-urlencoded' \
+--data-urlencode 'tenant=boxyhq.com' \
+--data-urlencode 'product=demo'
+```
+```
+curl -X "DELETE" --location 'http://localhost:6000/api/v1/saml/config' \
+--header 'Authorization: Api-Key <Jackson API Key>' \
+--header 'Content-Type: application/x-www-form-urlencoded' \
+--data-urlencode 'clientID=<Client ID>'
+--data-urlencode 'clientSecret=<Client Secret>'
+```
 ### 3. OAuth 2.0 Flow
 Jackson has been designed to abstract the SAML login flow as a pure OAuth 2.0 flow. This means it's compatible with any standard OAuth 2.0 library out there, both client-side and server-side. It is important to remember that SAML is configured per customer unlike OAuth 2.0 where you can have a single OAuth app supporting logins for all customers.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@boxyhq/saml-jackson",
-  "version": "0.2.2-beta.169",
+  "version": "0.2.2-beta.174",
   "license": "Apache 2.0",
   "description": "SAML 2.0 service",
   "main": "src/index.js",

package/src/controller/api.js CHANGED Viewed

@@ -127,10 +127,41 @@ const getConfig = async (body) => {
   }
 };
+const deleteConfig = async (body) => {
+  const { clientID, clientSecret, tenant, product } = body;
+  if (clientID) {
+    if (!clientSecret) {
+      throw new JacksonError('Please provide clientSecret', 400);
+    }
+    const samlConfig = await configStore.get(clientID);
+    if (!samlConfig) {
+      return;
+    }
+    if (samlConfig.clientSecret === clientSecret) {
+      await configStore.delete(clientID);
+    } else {
+      throw new JacksonError('clientSecret mismatch', 400);
+    }
+  } else {
+    const samlConfigs = await configStore.getByIndex({
+      name: indexNames.tenantProduct,
+      value: dbutils.keyFromParts(tenant, product),
+    });
+    if (!samlConfigs || !samlConfigs.length) {
+      return;
+    }
+    for (const conf of samlConfigs) {
+      await configStore.delete(conf.clientID);
+    }
+  }
+};
 module.exports = (opts) => {
   configStore = opts.configStore;
   return {
     config,
     getConfig,
+    deleteConfig,
   };
 };

package/src/jackson.js CHANGED Viewed

@@ -130,6 +130,22 @@ internalApp.get(apiPath + '/config', async (req, res) => {
   }
 });
+internalApp.delete(apiPath + '/config', async (req, res) => {
+  try {
+    const apiKey = extractAuthToken(req);
+    if (!validateApiKey(apiKey)) {
+      res.status(401).send('Unauthorized');
+      return;
+    }
+    await apiController.deleteConfig(req.body);
+    res.status(200).end();
+  } catch (err) {
+    res.status(500).json({
+      error: err.message,
+    });
+  }
+});
 let internalServer = server;
 if (env.useInternalServer) {
   internalServer = internalApp.listen(env.internalHostPort, async () => {

package/src/test/api.test.js CHANGED Viewed

@@ -143,10 +143,35 @@ tap.test('controller/api', async (t) => {
       );
       t.equal(response.provider, PROVIDER);
-      const savedConf = await apiController.getConfig({
+      let savedConf = await apiController.getConfig({
         clientID: CLIENT_ID,
       });
       t.equal(savedConf.provider, PROVIDER);
+      try {
+        await apiController.deleteConfig({ clientID: CLIENT_ID });
+        t.fail('Expecting JacksonError.');
+      } catch (err) {
+        t.equal(err.message, 'Please provide clientSecret');
+        t.equal(err.statusCode, 400);
+      }
+      try {
+        await apiController.deleteConfig({
+          clientID: CLIENT_ID,
+          clientSecret: 'xxxxx',
+        });
+        t.fail('Expecting JacksonError.');
+      } catch (err) {
+        t.equal(err.message, 'clientSecret mismatch');
+        t.equal(err.statusCode, 400);
+      }
+      await apiController.deleteConfig({
+        clientID: CLIENT_ID,
+        clientSecret: 'f3b0f91eb8f4a9f7cc2254e08682d50b05b5d36262929e7f',
+      });
+      savedConf = await apiController.getConfig({
+        clientID: CLIENT_ID,
+      });
+      t.same(savedConf, {}, 'should return empty config');
       dbutils.keyDigest.restore();
       crypto.randomBytes.restore();